Panther Audit Logs
Logs for audited activity in your Panther instance
Panther audit logs provide a read-only history of activity within your Panther deployment. When Panther audit logs are enabled as a log source, you can write detections or query the data lake for audit logs the same way you would with any other security events ingested by Panther. Learn more on Querying and Writing Detections for Panther Audit Logs.
Audit logging does not currently include an exhaustive list of all activity in Panther (such as references to specific log sources, cloud accounts, and destinations).
If you have any questions about this feature, reach out to Panther Support.
Audit logs are automatically generated, but must be enabled as a log source to write detections on them. The action of enabling audit logs is itself captured as a CREATE_LOG_SOURCE audit log. Disabling audit logs does not generate an audit log. Only users with the Edit Settings & SAML Preferences permission can enable audit logs.
To enable audit logs as a log source:
1. In the upper-right corner of your Panther Console, click the gear icon, then General.
2. On the Main Information tab, to the right of Enable Panther Audit Logs, click the toggle.
3. Click Save Changes.
Audit logs are retained by default for 5 years in AWS S3.
The fields of the audit log are listed below, along with each field's type and whether the field is required.