Panther Audit Logs
Logs for audited activity in your Panther instance
Panther audit logs provide a read-only history of activity within your Panther deployment. With Panther audit logs enabled as a log source, you can write detections or query the data lake for audit logs the same way you would for any other security events ingested by Panther.
Audit logging does not currently cover an exhaustive list of all activity in Panther (for example, references to specific log sources, cloud accounts, and destinations). Note that when the Panther Analysis Tool (PAT) is used via an API token, PAT actions are included in audit logs; when the IAM method is used, PAT actions are not logged.
If you have any questions about this feature, reach out to Panther Support.
Audit logs are automatically generated, but must be enabled by your Panther support team to use them as a log source.
Audit logs are retained by default for 5 years in AWS S3.
The fields of the audit log are listed below, along with each field's type and whether it is required.
Attribute | Description | Type | Required
---|---|---|---
actionName | The action that was attempted. | String | true
actionDescription | An optional brief description of the action attempted. | String | false
actionResult | The result of the action that was attempted. | String: SUCCEEDED, FAILED, or PARTIALLY_FAILED | true
actionParams | The parameters supplied that were relevant to the attempted action. Values are grouped under dynamic and static keys according to how they were provided to the operation. | Dict | false
actionDetails | Additional metadata and/or details about the action being attempted. | Dict | false
actor | Identifying information about the actor. | Dict | true
actor.id | The ID of the actor that attempted the action. | String | true
actor.type | The type of actor (user or token). | String: USER or TOKEN | true
actor.name | The name of the actor that attempted the action. | String | false
actor.attributes | The attributes of the actor that attempted the action. | Dict | false
errors | Errors encountered while performing the action. | List | false
errors.message | The error message for the error encountered. | String | false
sourceIP | The IP address from which the request originated. | String | false
XForwardedFor | All IP addresses included in the X-Forwarded-For header. | List | false
userAgent | The user agent reported by the client that made the request. | String | false
timestamp | The date/time at which the action was attempted. | String | true
pantherVersion | The version of this Panther instance at the time the action was attempted. | String | true
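As an added example (not code from the Panther documentation or product), here is a Panther-style Python rule over the schema above that alerts on audited actions that did not succeed and raises the severity when the actor is an API token. It uses plain dict access so it runs stand-alone; the action names and sample events are constructed and not real Panther data.

```python
NOT_SUCCEEDED = {"FAILED", "PARTIALLY_FAILED"}

def rule(event: dict) -> bool:
    """Fire on any audited action whose actionResult is not SUCCEEDED."""
    return event.get("actionResult") in NOT_SUCCEEDED

def severity(event: dict) -> str:
    """API tokens act unattended, so a failing token warrants a closer look than a user."""
    actor = event.get("actor") or {}
    return "HIGH" if actor.get("type") == "TOKEN" else "MEDIUM"

def title(event: dict) -> str:
    """Human-readable alert title built from the actor and action fields."""
    actor = event.get("actor") or {}
    who = actor.get("name") or actor.get("id") or "unknown"
    return (f"Panther action {event.get('actionName')} {event.get('actionResult')} "
            f"for {actor.get('type', 'UNKNOWN')} {who} from {event.get('sourceIP')}")

def dedup(event: dict) -> str:
    """Group repeated failures by actor and action instead of one alert per event."""
    actor = event.get("actor") or {}
    return f"{actor.get('id')}:{event.get('actionName')}"

def alert_context(event: dict) -> dict:
    """Surface what an analyst wants first: error messages, source IP, proxy chain."""
    errors = event.get("errors") or []
    return {
        "errorMessages": [e.get("message") for e in errors if isinstance(e, dict)],
        "sourceIP": event.get("sourceIP"),
        "xForwardedFor": event.get("XForwardedFor") or [],
        "pantherVersion": event.get("pantherVersion"),
    }

# Constructed sample events shaped like the schema above; values are illustrative only.
TOKEN_FAILURE = {
    "actionName": "EXAMPLE_UPDATE_RULE", "actionResult": "FAILED",
    "actor": {"id": "tok-123", "type": "TOKEN", "name": "ci-deploy-token"},
    "errors": [{"message": "constructed: permission denied"}],
    "sourceIP": "203.0.113.10", "XForwardedFor": ["203.0.113.10", "198.51.100.7"],
    "timestamp": "2024-01-01T00:00:00Z", "pantherVersion": "x.y.z",
}
USER_SUCCESS = {
    "actionName": "EXAMPLE_LIST_RULES", "actionResult": "SUCCEEDED",
    "actor": {"id": "user-1", "type": "USER", "name": "alice"},
    "sourceIP": "203.0.113.11", "timestamp": "2024-01-01T00:00:01Z",
    "pantherVersion": "x.y.z",
}
```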