AWS CloudWatch

Connecting AWS CloudWatch logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) CloudWatch Events via common Data Transport options: AWS S3, AWS SQS, or via a direct CloudWatch integration.

Panther also supports ingesting logs stored in CloudWatch. For more information, see the documentation on using CloudWatch Logs as a Data Transport.

How to onboard AWS CloudWatch events to Panther

To pull CloudWatch logs into Panther, you will need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search "AWS" to see the list of available log sources.

  4. Select AWS CloudWatch Events.

  5. Select a transport method for your source to begin setup, and follow the respective Panther documentation below:

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Supported AWS CloudWatch logs

AWS.CloudWatchEvents

CloudWatch Events describe changes in AWS resources. For more information, see AWS's documentation on CloudWatch Events patterns.

schema: AWS.CloudWatchEvents
parser:
  native:
    name: AWS.CloudWatchEvents
description: CloudWatch Events describe changes in AWS resources.
referenceURL: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html
fields:
  - name: id
    required: true
    description: A unique value is generated for every event. This can be helpful in tracing events as they move through rules to targets, and are processed.
    type: string
  - name: account
    required: true
    description: The 12-digit number identifying an AWS account.
    type: string
  - name: source
    required: true
    description: Identifies the service that sourced the event. All events sourced from within AWS begin with 'aws'. Customer-generated events can have any value here, as long as it doesn't begin with 'aws'. We recommend the use of Java package-name style reverse domain-name strings.
    type: string
  - name: resources
    required: true
    description: This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service. For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs.
    type: array
    element:
      type: string
  - name: region
    required: true
    description: Identifies the AWS region where the event originated.
    type: string
  - name: detail-type
    required: true
    description: Identifies, in combination with the source field, the fields and values that appear in the detail field.
    type: string
  - name: version
    required: true
    description: By default, this is set to 0 (zero) in all events.
    type: string
  - name: time
    required: true
    description: The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received.
    type: timestamp
    timeFormat: rfc3339
  - name: detail
    required: true
    description: A JSON object, whose content is at the discretion of the service originating the event. The detail content in the example above is very simple, just two fields. AWS API call events have detail objects with around 50 fields nested several levels deep.
    type: json

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated