AWS ALB

Connecting AWS ALB logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Application Load Balancer (ALB) logs via AWS S3.

How to onboard AWS ALB logs to Panther

To pull ALB logs into Panther, you will need to onboard the S3 bucket that receives your ALB access logs as a log source in the Panther Console, so that Panther can stream data from your AWS account.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS Application Load Balancer.

  5. Select AWS S3 Bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for data transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Supported ALB logs

AWS.ALB

AWS.ALB contains Application Load Balancer access logs, which record Layer 7 (HTTP/HTTPS) request details for your Application Load Balancer. For more information, see AWS's documentation on ALB access logs.

schema: AWS.ALB
parser:
  native:
    name: AWS.ALB
description: Application Load Balancer access logs, which record Layer 7 request details for your Application Load Balancer.
referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
fields:
  - name: type
    required: true
    description: The type of request or connection.
    type: string
  - name: timestamp
    required: true
    description: The time when the load balancer generated a response to the client (UTC). For WebSockets, this is the time when the connection is closed.
    type: timestamp
    timeFormat: rfc3339
  - name: elb
    description: The resource ID of the load balancer. If you are parsing access log entries, note that resource IDs can contain forward slashes (/).
    type: string
  - name: clientIp
    description: The IP address of the requesting client.
    type: string
  - name: clientPort
    description: The port of the requesting client.
    type: bigint
  - name: targetIp
    description: The IP address of the target that processed this request.
    type: string
  - name: targetPort
    description: The port of the target that processed this request.
    type: bigint
  - name: requestProcessingTime
    description: The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the request until the time it sent it to a target. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout.
    type: float
  - name: targetProcessingTime
    description: The total time elapsed (in seconds, with millisecond precision) from the time the load balancer sent the request to a target until the target started to send the response headers. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout.
    type: float
  - name: responseProcessingTime
    description: The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the response header from the target until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the client. This value is set to -1 if the load balancer can't send the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request.
    type: float
  - name: elbStatusCode
    required: true
    description: The status code of the response from the load balancer.
    type: bigint
  - name: targetStatusCode
    description: The status code of the response from the target. This value is recorded only if a connection was established to the target and the target sent a response.
    type: bigint
  - name: receivedBytes
    description: The size of the request, in bytes, received from the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes received from the client on the connection.
    type: bigint
  - name: sentBytes
    description: The size of the response, in bytes, sent to the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes sent to the client on the connection.
    type: bigint
  - name: requestHttpMethod
    description: The HTTP method parsed from the request.
    type: string
  - name: requestUrl
    description: The HTTP URL parsed from the request.
    type: string
  - name: requestHttpVersion
    description: The HTTP version parsed from the request.
    type: string
  - name: userAgent
    description: A User-Agent string that identifies the client that originated the request. The string consists of one or more product identifiers, product[/version]. If the string is longer than 8 KB, it is truncated.
    type: string
  - name: sslCipher
    description: '[HTTPS listener] The SSL cipher. This value is set to NULL if the listener is not an HTTPS listener.'
    type: string
  - name: sslProtocol
    description: '[HTTPS listener] The SSL protocol. This value is set to NULL if the listener is not an HTTPS listener.'
    type: string
  - name: targetGroupArn
    description: The Amazon Resource Name (ARN) of the target group.
    type: string
  - name: traceId
    description: The contents of the X-Amzn-Trace-Id header.
    type: string
  - name: domainName
    description: "[HTTPS listener] The SNI domain provided by the client during the TLS handshake. This value is set to NULL if the client doesn't support SNI or the domain doesn't match a certificate and the default certificate is presented to the client."
    type: string
  - name: chosenCertArn
    description: '[HTTPS listener] The ARN of the certificate presented to the client. This value is set to session-reused if the session is reused. This value is set to NULL if the listener is not an HTTPS listener.'
    type: string
  - name: matchedRulePriority
    description: The priority value of the rule that matched the request. If a rule matched, this is a value from 1 to 50,000. If no rule matched and the default action was taken, this value is set to 0. If an error occurs during rules evaluation, it is set to -1. For any other error, it is set to NULL.
    type: bigint
  - name: requestCreationTime
    description: The time when the load balancer received the request from the client.
    type: timestamp
    timeFormat: rfc3339
  - name: actionsExecuted
    description: The actions taken when processing the request. This value is a comma-separated list that can include the values described in Actions Taken. If no action was taken, such as for a malformed request, this value is set to NULL.
    type: array
    element:
      type: string
  - name: redirectUrl
    description: The URL of the redirect target for the location header of the HTTP response. If no redirect actions were taken, this value is set to NULL.
    type: string
  - name: errorReason
    description: The error reason code. If the request failed, this is one of the error codes described in Error Reason Codes. If the actions taken do not include an authenticate action or the target is not a Lambda function, this value is set to NULL.
    type: string
  - name: targetPortList
    description: A space-delimited list of IP addresses and ports for the targets that processed this request, enclosed in double quotes. Currently, this list can contain one item and it matches the target:port field.
    type: array
    element:
      type: string
      indicators:
        - net_addr
  - name: targetStatusList
    description: A space-delimited list of status codes from the responses of the targets, enclosed in double quotes. Currently, this list can contain one item and it matches the target_status_code field. This value is recorded only if a connection was established to the target and the target sent a response. Otherwise, it is set to -.
    type: array
    element:
      type: string
  - name: classification
    description: The classification for desync mitigation, enclosed in double quotes. If the request does not comply with RFC 7230, the possible values are Acceptable, Ambiguous, and Severe. If the request complies with RFC 7230, this value is set to -.
    type: string
  - name: classificationReason
    description: The classification reason code, enclosed in double quotes. If the request does not comply with RFC 7230, this is one of the classification codes described in Classification reasons. If the request complies with RFC 7230, this value is set to -.
    type: string
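
The following is an added example, not part of this page and not Panther's own parser or one of its prewritten rules. It tokenizes ALB access log entries into the AWS.ALB field names listed above (splitting client:port, target:port and the quoted request into the separate schema fields, and mapping "-" to null) and then runs a Panther-style rule() and title() over the result to flag requests that ALB's desync mitigation classified as Ambiguous or Severe. Assumptions: the entry carries the 29 documented fields in the documented order (any trailing fields that newer log versions append are ignored), the rule receives a plain dict rather than Panther's event object, and the two sample log lines, the load balancer and target group names, and the choice of classifications to alert on are all constructed for illustration.

```python
import re
from typing import Any, Optional

# Field order of one ALB access log entry, named with the AWS.ALB schema fields
# above. Assumption: the 29 documented fields in this order; fields the schema
# splits (client:port, target:port, "request") are split after tokenizing.
ALB_FIELDS = [
    "type", "timestamp", "elb", "client", "target",
    "requestProcessingTime", "targetProcessingTime", "responseProcessingTime",
    "elbStatusCode", "targetStatusCode", "receivedBytes", "sentBytes",
    "request", "userAgent", "sslCipher", "sslProtocol", "targetGroupArn",
    "traceId", "domainName", "chosenCertArn", "matchedRulePriority",
    "requestCreationTime", "actionsExecuted", "redirectUrl", "errorReason",
    "targetPortList", "targetStatusList", "classification", "classificationReason",
]

# A token is a double-quoted string (quotes stripped) or a bare run of
# non-whitespace; "-" means "not set" in every position.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line: str) -> list[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]


def _opt(v: str) -> Optional[str]:
    return None if v == "-" else v


def _int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)


def _float(v: str) -> Optional[float]:
    return None if v == "-" else float(v)


def _list(v: str, sep: str) -> Optional[list[str]]:
    return None if v == "-" else v.split(sep)


def _split_addr(v: str) -> tuple[Optional[str], Optional[int]]:
    # "ip:port" -> (ip, port); "-" when the request was never dispatched.
    if v == "-":
        return None, None
    host, port = v.rsplit(":", 1)
    return host.strip("[]"), int(port)


def _split_request(v: str) -> tuple[Optional[str], Optional[str], Optional[str]]:
    # "METHOD URL VERSION"; a malformed request is logged as "- - -".
    parts = (v.split(" ", 2) + ["-", "-", "-"])[:3]
    return _opt(parts[0]), _opt(parts[1]), _opt(parts[2])


def parse_alb_line(line: str) -> dict[str, Any]:
    tokens = tokenize(line)
    if len(tokens) < len(ALB_FIELDS):
        raise ValueError(f"expected {len(ALB_FIELDS)} fields, got {len(tokens)}")
    raw = dict(zip(ALB_FIELDS, tokens))  # extra trailing tokens are dropped
    client_ip, client_port = _split_addr(raw["client"])
    target_ip, target_port = _split_addr(raw["target"])
    method, url, version = _split_request(raw["request"])
    return {
        "type": raw["type"], "timestamp": raw["timestamp"], "elb": raw["elb"],
        "clientIp": client_ip, "clientPort": client_port,
        "targetIp": target_ip, "targetPort": target_port,
        "requestProcessingTime": _float(raw["requestProcessingTime"]),
        "targetProcessingTime": _float(raw["targetProcessingTime"]),
        "responseProcessingTime": _float(raw["responseProcessingTime"]),
        "elbStatusCode": _int(raw["elbStatusCode"]),
        "targetStatusCode": _int(raw["targetStatusCode"]),
        "receivedBytes": _int(raw["receivedBytes"]), "sentBytes": _int(raw["sentBytes"]),
        "requestHttpMethod": method, "requestUrl": url, "requestHttpVersion": version,
        "userAgent": _opt(raw["userAgent"]),
        "sslCipher": _opt(raw["sslCipher"]), "sslProtocol": _opt(raw["sslProtocol"]),
        "targetGroupArn": _opt(raw["targetGroupArn"]), "traceId": _opt(raw["traceId"]),
        "domainName": _opt(raw["domainName"]), "chosenCertArn": _opt(raw["chosenCertArn"]),
        "matchedRulePriority": _int(raw["matchedRulePriority"]),
        "requestCreationTime": raw["requestCreationTime"],
        "actionsExecuted": _list(raw["actionsExecuted"], ","),
        "redirectUrl": _opt(raw["redirectUrl"]), "errorReason": _opt(raw["errorReason"]),
        "targetPortList": _list(raw["targetPortList"], " "),
        "targetStatusList": _list(raw["targetStatusList"], " "),
        "classification": _opt(raw["classification"]),
        "classificationReason": _opt(raw["classificationReason"]),
    }


# Panther-style rule (assumed dict event, not Panther's event object): the desync
# mitigation classifies RFC 7230 violations as Acceptable, Ambiguous or Severe;
# the latter two are the request-smuggling shapes this rule alerts on.
DESYNC_CLASSIFICATIONS = {"Ambiguous", "Severe"}


def rule(event: dict[str, Any]) -> bool:
    return event.get("classification") in DESYNC_CLASSIFICATIONS


def title(event: dict[str, Any]) -> str:
    return (f"ALB {event.get('elb')} received a {event.get('classification')} request "
            f"from {event.get('clientIp')} ({event.get('classificationReason')})")


def alerts_for(lines: list[str]) -> list[str]:
    return [title(ev) for ev in map(parse_alb_line, lines) if rule(ev)]


# Constructed sample entries (not real traffic): a normal HTTP request that was
# forwarded, and an HTTPS request the desync mitigation rejected before dispatch.
SAMPLE_LINES = [
    'http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.0.2.10:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 "GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 0 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-"',
    'https 2024-05-01T10:15:30.123456Z app/prod-alb/0123456789abcdef 203.0.113.7:51234 - -1 -1 -1 400 - 512 288 "POST https://app.example.com:443/api/upload HTTP/1.1" "python-requests/2.31.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/prod-targets/abcdef0123456789 "Root=1-66321234-0123456789abcdef01234567" "app.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555" 10 2024-05-01T10:15:30.120000Z "-" "-" "-" "-" "-" "Severe" "BothTeClPresent"',
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LINES):
        print(alert)
```

The second sample shows the shape that matters for triage: a 400 from the load balancer with no target address, no target status and all three processing times at -1, which is what the schema descriptions above say to expect when the request was never dispatched. Because the Panther parser sets "-" to null, a rule should test for None rather than for the literal "-".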
