Panther Audit Logs
Logs for audited activity in your Panther instance
Panther audit logs provide a read-only history of activity within your Panther deployment. When Panther audit logs are enabled as a log source, you can write detections or query the data lake for audit logs the same way you would with any other security events ingested by Panther. Learn more on .
Audit logging does not currently include an exhaustive list of all activity in Panther (such as references to specific log sources, cloud accounts, and destinations). See all actions recorded by audit logs in .
Actions made using the will only generate audit logs if authentication is performed using an . PAT actions that authenticate using a legacy method, such as an IAM role, will not generate audit logs.
Actions taken in a are included in audit logs.
Audit logs are retained by default for 5 years in AWS S3.
Audit logs are automatically generated, but must be enabled as a log source to write detections on them. The action of enabling audit logs is itself captured as a CREATE_LOG_SOURCE audit log, and a new log source is created. Only users with the Edit Settings & SAML Preferences permission can enable audit logs.
Disabling audit logs does not generate an audit log.
Unlike other log sources, a cannot be configured for Panther audit logs.
To enable audit logs as a log source:
1. In the upper-right corner of your Panther Console, click the gear icon, then General.
2. On the Main Information tab, to the right of Enable Panther Audit Logs, click the toggle ON.
3. Click Save Changes.
The fields of the audit log are listed below, along with each field's type and whether it is required.

| Field | Description | Type | Required |
|---|---|---|---|
| actionName | The action that was attempted. | String | true |
| actionDescription | An optional brief description of the action attempted. | String | false |
| actionResult | The result of the action that was attempted. | String - SUCCEEDED, FAILED, or PARTIALLY_FAILED | true |
| actionParams | The parameters supplied that were relevant to the action being attempted. Values are grouped under dynamic and static keys based on the way they were provided to the operation. | Dict | false |
| actionDetails | Additional metadata and/or details about the action being attempted. | Dict | false |
| actor | Identifying information about the actor. | Dict | true |
| actor.id | The ID of the actor that attempted the action. | String | true |
| actor.type | The type of actor (user/token). | String - USER or TOKEN | true |
| actor.name | The name of the actor that attempted the action. | String | false |
| actor.attributes | The attributes of the actor that attempted the action. | Dict | false |
| errors | Errors encountered while performing the action. | List | false |
| errors.message | The error message for the error encountered. | String | false |
| sourceIP | The IP address from which the request originated. | String | false |
| XForwardedFor | All IP addresses included in the X-Forwarded-For header. | List | false |
| userAgent | Information about the actor's browser, or slackbot if the action was initiated via . | String | false |
| timestamp | The date/time at which the action was attempted. | String | true |
| pantherVersion | The version of this Panther instance at the time the action was attempted. | String | true |

See rules for Panther audit logs in the .
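As an added example (not Panther's own code or one of its packaged rules), the following Python detection in the Panther rule style uses the fields above: it fires on any action whose actionResult is FAILED or PARTIALLY_FAILED and on a successful CREATE_LOG_SOURCE, and builds a title from the actor, result and sourceIP fields. Events are plain dicts shaped like the audit log; the small deep_get helper, the MONITORED_ACTIONS set and the sample action names other than CREATE_LOG_SOURCE are assumptions, not from the page.

```python
from typing import Any, Dict, List

FAILED_RESULTS = {"FAILED", "PARTIALLY_FAILED"}
# CREATE_LOG_SOURCE is the action the page names; the set itself is an assumption.
MONITORED_ACTIONS = {"CREATE_LOG_SOURCE"}


def deep_get(event: Dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys (stand-in for Panther's event.deep_get)."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def rule(event: Dict[str, Any]) -> bool:
    """Fire on FAILED/PARTIALLY_FAILED results and on monitored successful changes."""
    result = event.get("actionResult")
    if result in FAILED_RESULTS:
        return True
    return event.get("actionName") in MONITORED_ACTIONS and result == "SUCCEEDED"


def title(event: Dict[str, Any]) -> str:
    """Alert title: who (name, else id) did what, with what result, from where."""
    actor = deep_get(event, "actor", "name", default=deep_get(event, "actor", "id", default="unknown"))
    return (f"Panther audit: {event.get('actionName')} {event.get('actionResult')} by "
            f"{deep_get(event, 'actor', 'type', default='UNKNOWN')} {actor} "
            f"from {event.get('sourceIP', 'n/a')}")


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Surface error messages and supplied params; both fields are optional."""
    return {"errors": [e.get("message") for e in event.get("errors") or []],
            "params": event.get("actionParams") or {}}


# Constructed sample events; action names other than CREATE_LOG_SOURCE are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"actionName": "CREATE_LOG_SOURCE", "actionResult": "SUCCEEDED", "sourceIP": "203.0.113.5",
     "actor": {"id": "u-1", "type": "USER", "name": "alice"}, "timestamp": "2024-01-01T00:00:00Z"},
    {"actionName": "UPDATE_RULE", "actionResult": "FAILED", "errors": [{"message": "permission denied"}],
     "actor": {"id": "tok-9", "type": "TOKEN"}, "timestamp": "2024-01-01T00:01:00Z"},
    {"actionName": "LIST_RULES", "actionResult": "SUCCEEDED",
     "actor": {"id": "u-1", "type": "USER", "name": "alice"}, "timestamp": "2024-01-01T00:02:00Z"},
]


def firing_titles(events: List[Dict[str, Any]]) -> List[str]:
    """Run the rule over a batch and return the titles of events that fire."""
    return [title(e) for e in events if rule(e)]
```

Optional fields such as actor.name, sourceIP and errors are handled with defaults, so a token-issued event without a name or a browser IP still produces a usable title.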