Standard Fields
Panther's log analysis applies normalization fields (IPs, domains, etc) to all log records. These fields provide standard names for attributes across all data sources enabling fast and easy data correlation.
For example, each data source has a time that an event occurred, but each data source will likely not name the attribute the same, nor is it guaranteed that the associated time has a timezone consistent with other data sources.
The Panther attribute
p_event_time is mapped to each data source's corresponding event time and normalized to UTC. This way you can query over multiple data sources joining and ordering by p_event_time to properly align and correlate the data despite the disparate schemas of each data source.All appended standard fields begin with
p_The fields below are appended to all log records:
Field Name | Type | Description |
p_log_type | string | The type of log. |
p_row_id | string | Unique id (UUID) for the row. |
p_event_time | timestamp | The associated event time for the log type is copied here and normalized to UTC.
Format: YYYY-MM-DD HH:MM:SS.fff |
p_parse_time | timestamp | The current time when the event was parsed, normalized to UTC.
Format: YYYY-MM-DD HH:MM:SS.fff |
p_source_id | string | The Panther generated internal id for the source integration. |
p_source_label | string | The user supplied label for the source integration (may change if edited). |
If an event does not have a timestamp, then
p_event_time will be set to p_parse_time, which is the time the event was parsed.The
p_source_id and p_source_label fields are very useful for knowing where the data originated. For example, you might have multiple CloudTrail sources registered with Panther, each with a unique name (e.g., "Dev Accounts", "Production Accounts", "HR Accounts", etc.). These fields allow you to easily separate data based on the source which can be very useful to use in Panther rules as well as business intelligence (BI) reporting.In addition, the fields below are appended to log records of all tables in the
panther_rule_matches database:Field Name in panther_rule_matches | Type | Description of Field |
p_alert_id | string | Id of alert related to row. |
p_alert_creation_time | timestamp | Time of alert creation related to row. |
p_alert_context | object | A JSON object returned from the rule's alert_context() function. |
p_alert_severity | string | The severity level of the rule at the time of the alert. This could be different from the default severity as it can be dynamically set. |
p_alert_update_time | timestamp | Time of last alert update related to row. |
p_rule_id | string | The id of the rule that generated the alert. |
p_rule_error | string | The error message if there was an error running the rule. |
p_rule_reports | map[string]array[string] | List of user defined rule reporting tags related to row. |
p_rule_severity | string | The default severity of the rule. |
p_rule_tags | array[string] | List of user defined rule tags related to row. |
A common security question is, “Was
some indicator ever observed in any of our logs?” Panther's Indicator Search enables you to find the answer by searching across data from all of your various log sources.As log events are ingested, the
indicators field in their corresponding schema identifies which fields should have their values extracted into p_any_ fields, which are appended to and stored with the event. The table below shows which p_any_ field(s) data is extracted into, by indicator.When constructing a custom schema, you can use the values in the Indicator Name column in the table below in your schema's
indicators field. Each of the rows (except for aws_arn_only, hostname, net_addr, and url) corresponds to a value in Indicator Search's Field dropdown. Note that field name/value pairs outside of the fields in the table below can be searched with Indicator Search's Simple Search functionality—though because those fields have not been mapped to corresponding ones (with different syntax) in different log sources, only matches from log sources containing the exact field name searched will be returned.
Indicator Name | Extracted into fields | Description |
|---|---|---|
actor_id | p_any_actor_ids | Append value to p_any_actor_ids. |
aws_account_id | p_any_aws_account_ids | If the value is a valid AWS account id then append to p_any_aws_account_ids. |
aws_arn | p_any_aws_arns,
p_any_aws_instance_ids,
p_any_aws_account_ids,
p_any_emails
| If value is a valid AWS ARN then append to p_any_aws_arns.
If the ARN contains an AWS account id, extract and append to p_any_aws_account_ids.
If the ARN contains an EC2 instance id, extract and append to p_any_aws_instance_ids.
If the ARN references an AWS STS Assume Role and contains and email address, then extract email address into p_any_emails.
|
aws_arn_only | p_any_aws_arns | If value is a valid AWS ARN then append to p_any_aws_arns. |
aws_instance_id | p_any_aws_instance_ids | If the value is a valid AWS instance id then append to p_any_aws_instance_ids. |
aws_tag | p_any_aws_tags | Append value into p_any_aws_tags. |
domain | p_any_domain_names | Append value to p_any_domain_names. |
email | p_any_emails | If value is a valid email address then append value into p_any_emails. |
hostname | p_any_domain_names, p_any_ip_addresses | Append value to p_any_domain_names.
If value is a valid ipv4 or ipv6 address then append to p_any_ip_addresses. |
ip | p_any_ip_addresses | If value is a valid ipv4 or ipv6 address then append to p_any_ip_addresses. |
mac | p_any_mac_addresses | If a value is a valid IEEE 802 MAC-48, EUI-48, EUI-64, or a 20-octet IP over InfiniBand link-layer address then append to p_any_mac_addresses. |
md5 | p_any_md5_hashes | If the value is a valid md5 then append value into p_any_md5_hashes. |
net_addr | p_any_domain_names, p_any_ip_addresses | Extracts from values of the form <host>:<port>.
Append host portion to p_any_domain_names.
If host portion is a valid ipv4 or ipv6 address then append to p_any_ip_addresses. |
serial_number | p_any_serial_numbers | Append value to p_any_serial_numbers.
This feature is in closed beta starting with Panther version 1.69. To share any bug reports or feature requests, please contact your Panther support team. |
sha1 | p_any_sha1_hashes | If the value is a valid sha1 then append to p_any_sha1_hashes. |
sha256 | p_any_sha256_hashes | If the value is a valid sha256 then append to p_any_sha256_hashes. |
trace_id | p_any_trace_ids | Append value to p_any_trace_ids.
Tag fields such as session ids and document ids that are used to associated elements with other logs in order to trace the full activity of a sequence of related events. |
url | p_any_domain_names, p_any_ip_addresses | Parse url, extract the host portion after "http://" or "https://".
Append host portion to p_any_domain_names.
If host portion is a valid ipv4 or ipv6 address then append to p_any_ip_addresses. |
username | p_any_usernames | Append value into p_any_usernames. |
The Panther rules engine will take the looked up matches from Lookup Tables (BETA) and append that data to the event using the key
p_enrichment in the following JSON structure:{
'p_enrichment': {
<name of lookup table>: {
<key in log that matched>: <matching row looked up>,
...
<key in log that matched>: <matching row looked up>,
} }
}
Enrichment Field Name | Type | Description of Enrichment Field |
|---|---|---|
p_enrichment | array[object] | List of lookup results where matching rows were found. |
Panther manages a view over all data sources with standard fields.
This allows you to ask questions such as "was there any activity from some-bad-ip and if so where?".
The query below will show how many records (by log type) are associated with IP address
95.123.145.92:Snowflake
Athena
SELECT
p_log_type, count(1) AS row_count
FROM panther_views.public.all_logs
WHERE p_occurs_between('2020-1-30', '2020-1-31')
AND array_contains('95.123.145.92'::variant, p_any_ip_addresses)
GROUP BY p_log_type
SELECT
p_log_type, count(1) AS row_count
FROM panther_views.all_logs
WHERE p_occurs_between('2020-1-30', '2020-1-31')
AND contains(p_any_ip_addresses, '95.123.145.92')
GROUP BY p_log_type
From these results, you can pivot to the specific logs where activity is indicated.
The Panther standard fields can be used in rules. For example, this rule triggers when any GuardDuty alert is on a resource tagged as 'critical':
Example Panther Rule
Last modified 3d ago