AWS EKS
Connecting AWS EKS logs to your Panther Console
Overview
Panther supports ingesting Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) logs via AWS CloudWatch Logs.
EKS cannot send logs directly to S3. Instead, you'll need to direct your EKS logs to CloudWatch Logs, then configure a Kinesis Data Firehose to transport them to an S3 bucket, from which Panther will read them.
How to onboard AWS EKS logs to Panther
Step 1: Enable EKS control plane logging
Enabling EKS control plane logs means AWS will begin routing them to CloudWatch Logs.
Follow AWS's documentation to enable EKS control plane logging.
When configuring logging in the EKS Console, make sure to enable logging only for the Audit and Authenticator log types, as Panther does not currently support the other log types.
Step 2: Configure the CloudWatch Logs source in the Panther Console
After you've enabled EKS control plane logging, your EKS audit and authenticator logs will be available in CloudWatch Logs. Now it's time to set up a CloudWatch Logs source in Panther.
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Click the Custom Log Formats tile.
On the AWS CloudWatch Logs tile, click Start.
On the "Configure your source" page, fill in the fields:
Name: Enter a descriptive name of the CloudWatch Logs source.
Log Group Name: Enter the unique name of the CloudWatch Logs group. The name format of your AWS CloudWatch Logs LogGroup is /aws/eks/{your_cluster_name}/cluster
AWS Account ID: Enter the ID number for the AWS account that hosts the EKS cluster.
(optional) Pattern Filter: Enter a pattern on which to filter log events. See AWS's CloudWatch Logs pattern filter documentation to learn more.
Log Types: Select Amazon.EKS.Audit and Amazon.EKS.Authenticator.
Click Setup.
Step 3: Set up the S3 bucket, Kinesis Data Firehose, and IAM role
Panther needs a variety of AWS resources to read objects from your CloudWatch Logs source. To configure these, Panther provides a CloudFormation template that sets up an S3 bucket, Kinesis Data Firehose, IAM role, and other necessary resources.
In the Panther Console, click Using the AWS Console UI. You will be redirected to the AWS CloudFormation console UI with the template pre-filled.
Note that you also have the options to download the template and apply it through your own pipeline, or to configure the resources manually. For more details, see the CloudWatch Logs Source documentation.
Install the CloudFormation stack template into the AWS account and region that host the EKS cluster.
Make sure to wait for the CloudFormation stack creation to complete.
When the CloudFormation stack is ready, fill in the Bucket Name and Role ARN in the Panther Console.
After the CloudFormation stack creation is complete, you can find the resource ARNs in the "Outputs" section of the stack in AWS.
Step 4: Finish source setup in Panther
You will be directed to a success screen.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-built detections
See Panther's prewritten AWS rules in the panther-analysis GitHub repository.
Supported AWS EKS log types
Panther supports Amazon.EKS.Audit and Amazon.EKS.Authenticator logs.
Amazon.EKS.Audit
EKS audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see AWS's documentation on EKS control plane logs.
fields:
  - name: responseObject
    type: object
    fields:
      - name: secrets
        type: array
        element:
          type: object
          fields:
            - name: name
              required: true
              type: string
      - name: rules
        type: array
        element:
          type: object
          fields:
            - name: apiGroups
              type: array
              element:
                type: string
            - name: resources
              type: array
              element:
                type: string
            - name: verbs
              type: array
              element:
                type: string
      - name: spec
        type: json
      - name: apiVersion
        type: string
      - name: kind
        type: string
      - name: metadata
        type: object
        fields:
          - name: namespace
            type: string
          - name: annotations
            type: json
          - name: creationTimestamp
            type: timestamp
            timeFormats:
              - rfc3339
          - name: labels
            type: json
          - name: managedFields
            type: array
            element:
              type: object
              fields:
                - name: apiVersion
                  type: string
                - name: fieldsType
                  type: string
                - name: manager
                  type: string
                - name: operation
                  type: string
                - name: time
                  type: timestamp
                  timeFormats:
                    - rfc3339
          - name: name
            type: string
          - name: resourceVersion
            type: string
          - name: uid
            type: string
          - name: ownerReferences
            type: json
  - name: requestObject
    type: object
    fields:
      - name: rules
        type: array
        element:
          type: object
          fields:
            - name: apiGroups
              type: array
              element:
                type: string
            - name: resources
              type: array
              element:
                type: string
            - name: verbs
              type: array
              element:
                type: string
      - name: spec
        type: json
      - name: apiVersion
        type: string
      - name: kind
        type: string
      - name: metadata
        type: object
        fields:
          - name: annotations
            type: json
          - name: namespace
            type: string
          - name: labels
            type: json
          - name: name
            type: string
          - name: ownerReferences
            type: json
          - name: resourceVersion
            type: string
      - name: status
        type: object
        fields:
          - name: $setElementOrder/conditions
            type: array
            element:
              type: object
              fields:
                - name: type
                  type: string
          - name: conditions
            type: array
            element:
              type: object
              fields:
                - name: lastHeartbeatTime
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: type
                  type: string
  - name: objectRef
    type: object
    fields:
      - name: subresource
        type: string
      - name: resourceVersion
        type: string
      - name: uid
        type: string
      - name: namespace
        type: string
      - name: name
        type: string
      - name: apiGroup
        type: string
      - name: apiVersion
        required: true
        type: string
      - name: resource
        required: true
        type: string
  - name: annotations
    type: json
  - name: apiVersion
    required: true
    type: string
  - name: auditID
    required: true
    type: string
  - name: kind
    required: true
    type: string
  - name: level
    required: true
    type: string
  - name: requestReceivedTimestamp
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: requestURI
    type: string
  - name: responseStatus
    type: object
    fields:
      - name: reason
        type: string
      - name: message
        type: string
      - name: status
        type: string
      - name: code
        required: true
        type: bigint
  - name: sourceIPs
    required: true
    type: array
    element:
      type: string
      indicators:
        - ip
  - name: stage
    required: true
    type: string
  - name: stageTimestamp
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
  - name: user
    required: true
    type: object
    fields:
      - name: extra
        type: object
        fields:
          - name: authentication.kubernetes.io/pod-name
            type: array
            element:
              type: string
          - name: authentication.kubernetes.io/pod-uid
            type: array
            element:
              type: string
          - name: accessKeyId
            type: array
            element:
              type: string
          - name: arn
            type: array
            element:
              type: string
              indicators:
                - aws_arn
          - name: canonicalArn
            type: array
            element:
              type: string
              indicators:
                - aws_arn
          - name: sessionName
            type: array
            element:
              type: string
      - name: uid
        type: string
      - name: groups
        type: array
        element:
          type: string
      - name: username
        type: string
        indicators:
          - username
  - name: userAgent
    type: string
  - name: verb
    required: true
    type: string
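The schema above is easier to reason about with a detection written against it. The following is an added example, not code from the Panther documentation or from the panther-analysis repository: a Panther-style rule (rule, title, dedup) that flags completed, successful get/list/watch requests on Kubernetes Secrets by principals outside the reserved system: namespace, combining stage, verb, objectRef.resource, responseStatus.code, user.username, user.extra.arn and sourceIPs from the Amazon.EKS.Audit fields. The sample event is constructed (account ID, ARNs, names and audit ID are invented placeholders), and deep_get and variant are local helpers written for this example, not Panther's rule runtime API.

```python
"""Panther-style detection over an Amazon.EKS.Audit event.

Added example: illustrative code, not a panther-analysis rule and not Panther's
rule runtime. It shows how the documented audit fields (stage, verb,
objectRef.resource, responseStatus.code, user.username, user.extra.arn,
sourceIPs) combine into a detection for successful reads of Secrets by
non-system principals.
"""
import copy
import json
from typing import Any

# Constructed sample event in the shape of the Amazon.EKS.Audit schema.
# Account ID, ARNs, names and the audit ID are invented placeholders.
SAMPLE_AUDIT_EVENT: dict[str, Any] = json.loads(r"""
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "RequestResponse",
  "auditID": "00000000-0000-4000-8000-000000000001",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/prod/secrets/db-credentials",
  "verb": "get",
  "user": {
    "username": "kubernetes-admin",
    "uid": "aws-iam-authenticator:123456789012:AROAEXAMPLEPLACEHOLDER",
    "groups": ["system:masters", "system:authenticated"],
    "extra": {
      "arn": ["arn:aws:sts::123456789012:assumed-role/ClusterAdmin/ops-user"],
      "canonicalArn": ["arn:aws:iam::123456789012:role/ClusterAdmin"],
      "sessionName": ["ops-user"]
    }
  },
  "sourceIPs": ["203.0.113.10"],
  "userAgent": "kubectl/v1.27.0 (linux/amd64)",
  "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials", "apiVersion": "v1"},
  "responseStatus": {"code": 200},
  "requestReceivedTimestamp": "2024-03-01T12:00:00.000000Z",
  "stageTimestamp": "2024-03-01T12:00:00.001000Z"
}
""")

SECRET_READ_VERBS = {"get", "list", "watch"}
# Kubernetes reserves the "system:" prefix for built-in identities
# (controller manager, scheduler, nodes, service accounts).
SYSTEM_USER_PREFIX = "system:"


def deep_get(event: dict[str, Any], *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; a local stand-in for the helper a rule would use."""
    node: Any = event
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def rule(event: dict[str, Any]) -> bool:
    """Fire on a completed, successful get/list/watch of a Secret by a non-system principal."""
    # A request is logged at several stages; only ResponseComplete carries the final
    # status code, and evaluating that stage alone avoids duplicate alerts per request.
    if event.get("stage") != "ResponseComplete":
        return False
    if deep_get(event, "objectRef", "resource") != "secrets":
        return False
    if event.get("verb") not in SECRET_READ_VERBS:
        return False
    code = deep_get(event, "responseStatus", "code", default=0)
    if not 200 <= code < 300:
        return False  # denied requests belong to an RBAC-denial detection, not this one
    username = deep_get(event, "user", "username", default="")
    return not username.startswith(SYSTEM_USER_PREFIX)


def title(event: dict[str, Any]) -> str:
    """Alert title: principal, the IAM identity behind it, the target Secret and source IPs."""
    arns = deep_get(event, "user", "extra", "arn", default=[]) or ["<no-arn>"]
    return (
        f"EKS Secret {event.get('verb')} by {deep_get(event, 'user', 'username')} "
        f"({arns[0]}) on {deep_get(event, 'objectRef', 'namespace')}/"
        f"{deep_get(event, 'objectRef', 'name')} from {', '.join(event.get('sourceIPs', []))}"
    )


def dedup(event: dict[str, Any]) -> str:
    """Group alerts per principal and namespace rather than per request."""
    return f"{deep_get(event, 'user', 'username')}:{deep_get(event, 'objectRef', 'namespace')}"


def variant(event: dict[str, Any], path: tuple[str, ...], value: Any) -> dict[str, Any]:
    """Deep-copy an event and set one nested field; used to exercise each exclusion."""
    clone = copy.deepcopy(event)
    node = clone
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value
    return clone


if __name__ == "__main__":
    print(rule(SAMPLE_AUDIT_EVENT), title(SAMPLE_AUDIT_EVENT))
```

Because user.extra.arn carries the IAM identity that aws-iam-authenticator mapped to the Kubernetes username, the title surfaces both, which is what an analyst needs to pivot from the cluster event to CloudTrail for the same session.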
Amazon.EKS.Authenticator
These logs represent the control plane component that EKS uses for Kubernetes Role Based Access Control (RBAC) authentication using IAM credentials. For more information, see AWS's documentation on EKS control plane logs.
fields:
  - name: timestamp
    required: true
    description: timestamp
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: level
    required: true
    description: level
    type: string
  - name: access_key_id
    description: access_key_id
    type: string
  - name: message
    required: true
    description: message
    type: string
  - name: account_id
    description: account_id
    type: string
    indicators:
      - aws_account_id
  - name: arn
    description: arn
    type: string
    indicators:
      - aws_arn
  - name: client
    description: client
    type: string
  - name: method
    description: method
    type: string
  - name: path
    description: path
    type: string
  - name: session
    description: session
    type: string
  - name: user_id
    description: user_id
    type: string
  - name: groups
    description: groups
    type: string
  - name: uid
    description: uid
    type: string
    indicators:
      - trace_id
  - name: username
    description: username
    type: string
    indicators:
      - username