Island Logs

Panther supports ingesting Island Enterprise Browser logs via AWS S3

Overview

Panther ingests Island Enterprise Browser logs through an AWS S3 source, which monitors logs exported by Island. Island gives organizations complete control, visibility, and governance over browser activity, with access and security policies embedded directly within the browser where users, applications, and data intersect.

Island exports logs to an S3 bucket in your AWS account. Panther ingests three types of Island logs:

Audit logs: Administrative actions and authentication events
Browser Audit logs: Browser activity, DLP violations, and security threats
System Event logs: Device enrollment, lifecycle, and retention events

How to onboard Island logs to Panther

Prerequisites

An active Island Enterprise Browser subscription with administrative access
An AWS account where Island can export logs
Permissions to create S3 sources in your Panther Console

Step 1: Configure Island to export logs to AWS S3

Detailed instructions for configuring the Island AWS S3 integration are available in the Island Documentation Portal (requires Management Console login).

Log in to your Island Management Console.
Navigate to the AWS S3 integration settings.
Configure Island to export logs to an S3 bucket in your AWS account.
- Make note of the S3 bucket name and prefix where Island will write logs. You will need these in Step 2.
Configure which log types to export (Audit, Browser Audit, and System Events are supported by Panther).
Save your configuration.

Island will begin exporting logs to your S3 bucket based on your configuration.

Step 2: Create a new Island source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Island", then click its tile.
Click Start Setup.
Follow Panther's instructions for configuring an AWS S3 source.
- Use the S3 bucket name and prefix that Island is writing logs to.
- While configuring the S3 bucket source in Panther, we recommend adding a prefix filter of *.json to ensure Panther only processes Island JSON log files.
On the Configuration page:
- Enter a descriptive Name, e.g., Island Enterprise Browser Logs.
- The Log Types will automatically detect Island.Audit, Island.BrowserAudit, and Island.SystemEvent.
Complete the setup wizard.
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Island.Audit

Island Audit logs track administrative actions and authentication events within the Island Management Console, including user management, role changes, and system configuration modifications.

Reference: Island AWS S3 Integration Documentation

schema: Island.Audit
description: |
    Island Audit logs provide visibility into administrative actions and authentication events
    within the Island Management Console. These logs help track user management, role changes,
    and system configuration modifications.
referenceURL: https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration
fields:
    - name: id
      required: true
      description: Unique identifier for the audit event
      type: string
    - name: tenant_id
      required: true
      description: Island tenant identifier
      type: string
    - name: timestamp
      required: true
      description: Event timestamp in RFC3339 format
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: source
      description: Audit event source (e.g., AdminAction, SystemEvent)
      type: string
    - name: action
      description: Action performed (e.g., Create, View, Login, AddUserToRole)
      type: string
    - name: audit_type
      description: Category of the audit event (e.g., Authentication, UserManagement, AdminManagement)
      type: string
    - name: email
      description: Email address of the user performing the action
      type: string
      indicators:
        - email
    - name: user_id
      description: Identifier of the user performing the action
      type: string
      indicators:
        - username
    - name: entity_id
      description: Identifier of the entity affected by the action
      type: string
    - name: entity_name
      description: Name of the entity affected by the action
      type: string
    - name: entity_type
      description: Type of the entity affected by the action
      type: string
    - name: source_ip
      description: IP address from which the action originated
      type: string
      indicators:
        - ip

Island.BrowserAudit

Island Browser Audit logs capture detailed browser activity, including navigation events, file downloads, DLP violations, and security verdicts. These logs provide comprehensive visibility into user interactions with web applications and potential security threats.

Reference: Island AWS S3 Integration Documentation

schema: Island.BrowserAudit
description: |
    Island Browser Audit logs capture detailed browser activity including navigation events,
    file downloads, DLP violations, screen recordings, and security verdicts. These logs
    provide comprehensive visibility into user interactions with web applications and
    potential security threats.
referenceURL: https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration
fields:
    - name: id
      required: true
      description: Unique identifier for the browser audit event
      type: string
    - name: tenant_id
      required: true
      description: Island tenant identifier
      type: string
    - name: timestamp
      required: true
      description: Event timestamp in RFC3339 format
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: source
      description: Event source (always "BrowserAudit" for this log type)
      type: string
    - name: type
      description: Type of browser event (e.g., Navigation, Download, ScreenRecording)
      type: string
    - name: version
      description: Schema version for the event
      type: string
    - name: signature
      description: Event signature for validation
      type: string
    - name: details
      description: Additional event details in JSON format
      type: json
    - name: client_event_id
      description: Client-side event identifier
      type: string
    - name: email
      description: Email address of the user
      type: string
      indicators:
        - email
    - name: user_id
      description: User identifier
      type: string
      indicators:
        - username
    - name: user_name
      description: Display name of the user
      type: string
    - name: device_id
      description: Island device identifier
      type: string
    - name: machine_id
      description: Machine identifier
      type: string
    - name: machine_name
      description: Machine hostname
      type: string
      indicators:
        - hostname
    - name: os_platform
      description: Operating system platform (e.g., Windows, macOS, iOS)
      type: string
    - name: os_user_name
      description: Operating system username
      type: string
      indicators:
        - username
    - name: source_ip
      description: Private/internal IP address of the device
      type: string
      indicators:
        - ip
    - name: public_ip
      description: Public IP address of the device
      type: string
      indicators:
        - ip
    - name: country
      description: Country name based on IP geolocation
      type: string
    - name: country_code
      description: ISO country code based on IP geolocation
      type: string
    - name: region
      description: Region or state based on IP geolocation
      type: string
    - name: verdict
      description: Security verdict for the event (e.g., Allowed, Blocked, Warned)
      type: string
    - name: verdict_reason
      description: Reason for the security verdict
      type: string
    - name: rule_id
      description: Identifier of the policy rule that triggered the verdict
      type: string
    - name: rule_name
      description: Name of the policy rule that triggered the verdict
      type: string
    - name: matched_device_posture
      description: Device posture information at the time of the event (JSON)
      type: json
    - name: compatibility_mode
      description: Browser compatibility mode setting
      type: string
    - name: tab_id
      description: Browser tab identifier
      type: string
    - name: window_id
      description: Browser window identifier
      type: string
    - name: top_level_url
      description: Top-level URL being accessed
      type: string
      indicators:
        - url
        - domain
    - name: frame_url
      description: Frame URL for iframe events
      type: string
      indicators:
        - url
        - domain
    - name: url_web_categories
      description: Web categories assigned to the URL
      type: array
    - name: url_web_reputation
      description: Web reputation score for the URL
      type: string
    - name: saas_application_id
      description: Identifier of the detected SaaS application
      type: string
    - name: saas_application_name
      description: Name of the detected SaaS application
      type: string
    - name: saas_application_category
      description: Category of the detected SaaS application
      type: string
    - name: screenshot_file_name
      description: Filename of captured screenshot (if applicable)
      type: string
    - name: lineage_ids
      description: Lineage tracking identifiers for related events
      type: array
    - name: is_island_private_access
      description: Indicates if Island Private Access was used
      type: boolean
    - name: client_sending_date
      description: Timestamp when the client sent the event
      type: timestamp
      timeFormat: rfc3339
    - name: processed_date
      description: Timestamp when Island processed the event
      type: timestamp
      timeFormat: rfc3339
    - name: origin
      description: Origin of the event
      type: string

Island.SystemEvent

Island System Event logs track device management operations, system alerts, and infrastructure events within the Island platform, including device retention, lifecycle management, and system health.

Reference: Island AWS S3 Integration Documentation

schema: Island.SystemEvent
description: |
    Island System Event logs track device management operations, system alerts, and
    infrastructure events within the Island platform. These logs help monitor device
    retention, lifecycle management, and system health.
referenceURL: https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration
fields:
    - name: id
      required: true
      description: Unique identifier for the system event
      type: string
    - name: tenant_id
      required: true
      description: Island tenant identifier
      type: string
    - name: timestamp
      required: true
      description: Event timestamp in RFC3339 format
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: source
      description: Event source (always "SystemEvent" for this log type)
      type: string
    - name: type
      description: System event type (e.g., Deleted Inactive Device)
      type: string
    - name: category
      description: Event category (e.g., DeviceManagement)
      type: string
    - name: sub_category
      description: Event sub-category (e.g., RETENTION)
      type: string
    - name: severity
      description: Event severity level (Info, Warning, Critical)
      type: string
    - name: primary_entity_id
      description: Identifier of the primary entity affected by the event
      type: string
    - name: primary_entity_name
      description: Name of the primary entity affected by the event (e.g., device name)
      type: string

PreviousIru Logs (Beta)NextJamf Pro Logs

Last updated 1 month ago

Was this helpful?