Panther Audit Logs

Logs for audited activity in your Panther instance

Overview

Panther audit logs provide a read-only history of activity within your Panther deployment. When Panther audit logs are enabled as a log source, you can write detections or query the data lake for audit logs the same way you would with any other security events ingested by Panther. Learn more on Querying and Writing Detections for Panther Audit Logs.

Which actions are recorded in audit logs

Audit logging does not currently cover all activity in Panther (for example, references to specific log sources, cloud accounts, and destinations). See all actions recorded by audit logs in Panther Audit Log Actions.

Actions made using the Panther Analysis Tool (PAT) will only generate audit logs if authentication is performed using an API token. PAT actions that authenticate using a legacy method, such as an IAM role, will not generate audit logs.

Actions taken in a Slack Bot alert are included in audit logs.

Retention

Audit logs are retained by default for 5 years in AWS S3.

Enabling audit logs as a log source

Audit logs are automatically generated, but must be enabled as a log source to write detections on them. The action of enabling audit logs is itself captured as a CREATE_LOG_SOURCE audit log, and a new log source is created. Disabling audit logs does not generate an audit log. Only users with the Edit Settings & SAML Preferences permission can enable audit logs.

Unlike other log sources, a log drop-off alarm cannot be configured for Panther audit logs.

To enable audit logs as a log source:

  1. In the upper-right corner of your Panther Console, click the gear icon, then General.

  2. On the Main Information tab, to the right of Enable Panther Audit Logs, click the toggle ON.

  3. Click Save Changes.

Panther-managed detections

See Panther-managed rules for Panther audit logs in the panther-analysis GitHub repository.

Audit log reference

Schema

The fields of the audit log are listed below, along with each field's type and whether it is required.

Attribute        | Description                                                                                                                                       | Type                                          | Required
-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------|---------
actionName       | The action that was attempted.                                                                                                                    | String                                        | true
actionDescription| An optional brief description of the action attempted.                                                                                            | String                                        | false
actionResult     | The result of the action that was attempted.                                                                                                      | String - SUCCEEDED, FAILED, or PARTIALLY_FAILED | true
actionParams     | The parameters supplied that were relevant to the action being attempted. Values are grouped under dynamic and static keys based on the way they were provided to the operation. | Dict                                          | false
actionDetails    | Additional metadata and/or details about the action being attempted.                                                                              | Dict                                          | false
actor            | Identifying information about the actor.                                                                                                          | Dict                                          | true
actor.id         | The ID of the actor that attempted the action.                                                                                                    | String                                        | true
actor.type       | The type of actor (user/token).                                                                                                                   | String - USER or TOKEN                        | true
actor.name       | The name of the actor that attempted the action.                                                                                                  | String                                        | false
actor.attributes | The attributes of the actor that attempted the action.                                                                                            | Dict                                          | false
errors           | Errors encountered while performing the action.                                                                                                   | List                                          | false
errors.message   | The error message for the error encountered.                                                                                                      | String                                        | false
sourceIP         | The IP address from which the request originated.                                                                                                 | String                                        | false
XForwardedFor    | All IP addresses included in the X-Forwarded-For header.                                                                                          | List                                          | false
userAgent        | Information about the actor's browser, or slackbot if the action was initiated via Slack Bot.                                                     | String                                        | false
timestamp        | The date/time at which the action was attempted.                                                                                                  | String                                        | true
pantherVersion   | The version of this Panther instance at the time the action was attempted.                                                                        | String                                        | true
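The schema above is what a detection sees once audit logs are enabled as a log source. As an added example (not Panther's own code or a Panther-managed rule), the module below is a Panther-style rule that fires on any audited action whose actionResult is FAILED or PARTIALLY_FAILED, and builds an alert title that copes with the optional fields: it falls back from actor.name to the required actor.id, and reads the first errors.message if the errors list is present. It assumes Panther's rule contract of a `rule(event)` returning a bool plus an optional `title(event)`; the `AuditEvent` class is a stand-in for Panther's event object (which exposes `get` and `deep_get`) so the module runs offline, and `SAMPLE_EVENTS` are constructed, not real Panther output.

```python
"""Added example, not Panther's code: a Panther-style detection rule over
Panther audit log events shaped like the schema above.

Assumptions: Panther rules expose `rule(event) -> bool` and optionally
`title(event) -> str`; the event object offers `get` and `deep_get`.
`AuditEvent` is a stand-in for that object; SAMPLE_EVENTS are constructed.
"""
from typing import Any

# actionResult values from the schema that indicate the action did not fully succeed.
FAILED_RESULTS = {"FAILED", "PARTIALLY_FAILED"}


class AuditEvent(dict):
    """Minimal stand-in for Panther's event wrapper (assumption, not the real class)."""

    def deep_get(self, *keys: str, default: Any = None) -> Any:
        # Walk nested dicts; return `default` as soon as a key is missing or None.
        current: Any = self
        for key in keys:
            if not isinstance(current, dict) or key not in current:
                return default
            current = current[key]
        return current if current is not None else default


def rule(event: AuditEvent) -> bool:
    """Fire when the audited action failed or only partially succeeded."""
    return event.get("actionResult") in FAILED_RESULTS


def title(event: AuditEvent) -> str:
    """Alert title built from optional schema fields with safe fallbacks.

    actor.name is optional, so fall back to the required actor.id; errors is an
    optional list of objects carrying a `message` field.
    """
    actor_type = event.deep_get("actor", "type", default="UNKNOWN")
    actor = event.deep_get("actor", "name") or event.deep_get("actor", "id", default="unknown")
    action = event.get("actionName", "UNKNOWN_ACTION")
    result = event.get("actionResult")
    errors = event.get("errors") or []
    first_error = next(
        (err["message"] for err in errors if isinstance(err, dict) and err.get("message")),
        "no error message",
    )
    return f"Panther action {action} {result} for {actor_type} {actor}: {first_error}"


# Constructed sample events (not real Panther output). CREATE_LOG_SOURCE is the
# action name the page itself mentions; IPs are from the documentation range.
SAMPLE_EVENTS = [
    {
        "actionName": "CREATE_LOG_SOURCE",
        "actionResult": "SUCCEEDED",
        "actor": {"id": "user-1", "type": "USER", "name": "alice"},
        "sourceIP": "203.0.113.10",
        "timestamp": "2024-01-01T00:00:00Z",
        "pantherVersion": "0.0.0-example",
    },
    {
        "actionName": "CREATE_LOG_SOURCE",
        "actionResult": "FAILED",
        "actor": {"id": "tok-123", "type": "TOKEN"},  # no actor.name: it is optional
        "errors": [{"message": "permission denied"}],
        "sourceIP": "203.0.113.11",
        "timestamp": "2024-01-01T00:01:00Z",
        "pantherVersion": "0.0.0-example",
    },
    {
        "actionName": "CREATE_LOG_SOURCE",
        "actionResult": "PARTIALLY_FAILED",
        "actor": {"id": "user-2", "type": "USER", "name": "bob"},
        "errors": [],  # present but empty: title must not crash on it
        "sourceIP": "203.0.113.12",
        "timestamp": "2024-01-01T00:02:00Z",
        "pantherVersion": "0.0.0-example",
    },
]


def run(events=SAMPLE_EVENTS) -> list[str]:
    """Return alert titles for every event the rule fires on."""
    return [title(evt) for evt in map(AuditEvent, events) if rule(evt)]


if __name__ == "__main__":
    for line in run():
        print(line)
```

Running the module prints two titles: the TOKEN actor's failed CREATE_LOG_SOURCE (identified by actor.id because no name was logged) and the partially failed one for bob with no error message. In a real deployment the same `rule`/`title` pair would be uploaded as a custom rule against the Panther audit log type, with the stand-in `AuditEvent` and sample data left out.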
