AWS Config

Connecting AWS Configuration logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Config configuration snapshot logs via AWS S3.

How to onboard AWS Config logs to Panther

After AWS Config is configured to generate configuration snapshot logs via the AWS CLI, they will be sent to an S3 bucket.

To then pull these logs into Panther, you will need to set up an S3 bucket in the Panther Console.

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “AWS Config,” then click its tile.
- On the next screen, the Transport Mechanism dropdown in the upper right corner will be populated with the AWS S3 Bucket option.
Click Start Setup.
Follow Panther’s documentation for configuring S3 for data transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Supported AWS Config logs

AWS.Config

Record and evaluate snapshots of your AWS resources' configurations. For more information, see AWS's documentation on how Config works.

The event time (p_event_time) is the time the snapshot was created.

schema: AWS.Config
fields:
  - name: relatedEvents
    description: RelatedEvents field
    type: array
    element:
      type: json
  - name: relationships
    description: Relationships field
    type: array
    element:
      type: object
      fields:
        - name: resourceId
          description: ResourceId field
          type: string
        - name: resourceType
          description: ResourceType field
          type: string
        - name: name
          description: Name field
          type: string
  - name: configuration
    required: true
    description: Configuration field
    type: json
  - name: supplementaryConfiguration
    description: SupplementaryConfiguration field
    type: json
  - name: tags
    description: Tags field
    type: json
  - name: configurationItemVersion
    description: ConfigurationItemVersion field
    type: string
  - name: configurationItemCaptureTime
    required: true
    description: ConfigurationItemCaptureTime field
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: configurationStateId
    description: ConfigurationStateId field
    type: bigint
  - name: awsAccountId
    required: true
    description: AwsAccountId field
    type: string
    indicators:
      - aws_account_id
  - name: configurationItemStatus
    description: ConfigurationItemStatus field
    type: string
  - name: resourceType
    required: true
    description: ResourceType field
    type: string
  - name: resourceId
    description: ResourceId field
    type: string
  - name: resourceName
    description: ResourceName field
    type: string
  - name: ARN
    description: ARN field
    type: string
    indicators:
      - aws_arn
  - name: awsRegion
    description: AwsRegion field
    type: string
  - name: availabilityZone
    description: AvailabilityZone field
    type: string
  - name: configurationStateMd5Hash
    description: ConfigurationStateMd5Hash field
    type: string
    indicators:
      - md5
  - name: resourceCreationTime
    description: ResourceCreationTime field
    type: timestamp
    timeFormat: rfc3339

PreviousAWS Aurora NextAWS CloudWatch

Last updated 2 years ago

Was this helpful?

schema: AWS.Config fields: - name: relatedEvents description: RelatedEvents field type: array element: type: json - name: relationships description: Relationships field type: array element: type: object fields: - name: resourceId description: ResourceId field type: string - name: resourceType description: ResourceType field type: string - name: name description: Name field type: string - name: configuration required: true description: Configuration field type: json - name: supplementaryConfiguration description: SupplementaryConfiguration field type: json - name: tags description: Tags field type: json - name: configurationItemVersion description: ConfigurationItemVersion field type: string - name: configurationItemCaptureTime required: true description: ConfigurationItemCaptureTime field type: timestamp timeFormat: rfc3339 isEventTime: true - name: configurationStateId description: ConfigurationStateId field type: bigint - name: awsAccountId required: true description: AwsAccountId field type: string indicators: - aws_account_id - name: configurationItemStatus description: ConfigurationItemStatus field type: string - name: resourceType required: true description: ResourceType field type: string - name: resourceId description: ResourceId field type: string - name: resourceName description: ResourceName field type: string - name: ARN description: ARN field type: string indicators: - aws_arn - name: awsRegion description: AwsRegion field type: string - name: availabilityZone description: AvailabilityZone field type: string - name: configurationStateMd5Hash description: ConfigurationStateMd5Hash field type: string indicators: - md5 - name: resourceCreationTime description: ResourceCreationTime field type: timestamp timeFormat: rfc3339