AWS EKS

Connecting AWS EKS logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Elastic Kubernetes Service (EKS) logs via AWS CloudWatch Logs.

EKS cannot send logs directly to S3. Instead, direct your EKS control plane logs to CloudWatch Logs, then configure a Kinesis Data Firehose to deliver them to an S3 bucket, from which Panther reads them.

How to onboard AWS EKS logs to Panther

Step 1: Enable EKS control plane logging

Enabling EKS control plane logging tells AWS to route the selected log types to CloudWatch Logs, into the log group /aws/eks/{your_cluster_name}/cluster. Enable at least the audit and authenticator types, which are the two EKS log types Panther parses; the remaining types (api, controllerManager, scheduler) are not needed for this source.
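A quick way to check a cluster before (and after) this step is to read the logging block that `aws eks describe-cluster` returns and compute the payload for `aws eks update-cluster-config --logging`. The following is an added example, not Panther's or AWS's code; the `cluster.logging.clusterLogging` shape is AWS's, while the cluster name and the sample response are constructed for illustration.

```python
"""Check which EKS control plane log types are on, and build the update payload.

Added example; not Panther's or AWS's code. It reads the JSON that
`aws eks describe-cluster --name <cluster>` returns (the `cluster.logging`
shape is AWS's). The cluster name and sample response are constructed.
"""
import json

# The two control plane log types Panther parses for this source.
REQUIRED_LOG_TYPES = ("audit", "authenticator")


def enabled_log_types(describe_output: dict) -> set:
    """Control plane log types currently enabled on the cluster."""
    entries = (describe_output.get("cluster", {})
               .get("logging", {})
               .get("clusterLogging", []))
    enabled = set()
    for entry in entries:
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def missing_log_types(describe_output: dict, required=REQUIRED_LOG_TYPES) -> list:
    """Required types that are not enabled yet, in a stable order."""
    enabled = enabled_log_types(describe_output)
    return [t for t in required if t not in enabled]


def logging_update_payload(describe_output: dict, required=REQUIRED_LOG_TYPES) -> str:
    """Value for `aws eks update-cluster-config --name <cluster> --logging '<payload>'`.

    Only the missing types are listed, so types already enabled (or
    deliberately disabled, such as the high-volume api log) stay as they are.
    Returns "" when nothing needs to change.
    """
    missing = missing_log_types(describe_output, required)
    if not missing:
        return ""
    return json.dumps({"clusterLogging": [{"types": missing, "enabled": True}]})


# Constructed describe-cluster output, trimmed to the logging block:
# audit is on, authenticator is off.
SAMPLE_DESCRIBE_CLUSTER = {
    "cluster": {
        "name": "example-cluster",
        "logging": {
            "clusterLogging": [
                {"types": ["api", "audit"], "enabled": True},
                {"types": ["authenticator", "controllerManager", "scheduler"],
                 "enabled": False},
            ]
        },
    }
}

if __name__ == "__main__":
    payload = logging_update_payload(SAMPLE_DESCRIBE_CLUSTER)
    if payload:
        print("missing:", ", ".join(missing_log_types(SAMPLE_DESCRIBE_CLUSTER)))
        print(f"aws eks update-cluster-config --name example-cluster --logging '{payload}'")
    else:
        print("audit and authenticator logging already enabled")
```

The update is applied asynchronously; re-run the check against a fresh describe-cluster once the cluster status is back to ACTIVE, and only then move on to the CloudWatch Logs source.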

Step 2: Configure the CloudWatch Logs source in the Panther Console

After you've enabled EKS control plane logging, your EKS audit and authenticator logs will be available in CloudWatch Logs. Now it's time to set up a CloudWatch Logs source in Panther.

  1. In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

  2. In the upper right corner, click Create New.

  3. Click the Custom Log Formats tile.

  4. On the AWS CloudWatch Logs tile, click Start.

  5. On the "Configure your source" page, fill in the fields:

    • Name: Enter a descriptive name of the CloudWatch Logs source.

    • Log Group Name: Enter the unique name of the CloudWatch Logs group. The name format of your AWS CloudWatch Logs LogGroup is /aws/eks/{your_cluster_name}/cluster

    • AWS Account ID: Enter the ID number for the AWS account that hosts the EKS cluster.

    • (optional) Pattern Filter: Enter a pattern on which to filter log events. See AWS's CloudWatch Logs pattern filter documentation to learn more.

    • Log Types: Select Amazon.EKS.Audit and Amazon.EKS.Authenticator.

  6. Click Setup.

Step 3: Set up the S3 bucket, Kinesis Data Firehose, and IAM role

Panther needs a variety of AWS resources to read objects from your CloudWatch Logs source. To configure these, Panther provides a CloudFormation template that sets up an S3 bucket, Kinesis Data Firehose, IAM role, and other necessary resources.

  1. In the Panther Console, click Using the AWS Console UI. You will be redirected to the AWS CloudFormation console UI with the template pre-filled.

    • Note that you also have the options to download the template and apply it through your own pipeline, or to configure the resources manually. For more details, see the CloudWatch Logs Source documentation.

  2. Install the CloudFormation stack template into the AWS account ID and region that hosts the EKS cluster.

    • Make sure to wait for the CloudFormation stack creation to complete.

  3. When the CloudFormation stack is ready, fill in the Bucket Name and Role ARN in the Panther Console.

    • After the CloudFormation stack creation is complete, you can find the resource ARNs in the "Outputs" section of the stack in AWS.

Step 4: Finish source setup in Panther

You will be directed to a success screen:

  • You can optionally enable one or more Detection Packs.

  • The "Trigger an alert when no events are processed" setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Supported AWS EKS log types

Panther supports Amazon.EKS.Audit and Amazon.EKS.Authenticator logs.

Amazon.EKS.Audit

EKS audit logs provide a record of the individual users, administrators, or system components that have affected your cluster. For more information, see AWS's documentation on EKS control plane logs.

fields:
  - name: responseObject
    type: object
    fields:
      - name: secrets
        type: array
        element:
          type: object
          fields:
            - name: name
              required: true
              type: string
      - name: rules
        type: array
        element:
          type: object
          fields:
            - name: apiGroups
              type: array
              element:
                type: string
            - name: resources
              type: array
              element:
                type: string
            - name: verbs
              type: array
              element:
                type: string
      - name: spec
        type: json
      - name: apiVersion
        type: string
      - name: kind
        type: string
      - name: metadata
        type: object
        fields:
          - name: namespace
            type: string
          - name: annotations
            type: json
          - name: creationTimestamp
            type: timestamp
            timeFormats:
              - rfc3339
          - name: labels
            type: json
          - name: managedFields
            type: array
            element:
              type: object
              fields:
                - name: apiVersion
                  type: string
                - name: fieldsType
                  type: string
                - name: manager
                  type: string
                - name: operation
                  type: string
                - name: time
                  type: timestamp
                  timeFormats:
                    - rfc3339
          - name: name
            type: string
          - name: resourceVersion
            type: string
          - name: uid
            type: string
          - name: ownerReferences
            type: json
  - name: requestObject
    type: object
    fields:
      - name: rules
        type: array
        element:
          type: object
          fields:
            - name: apiGroups
              type: array
              element:
                type: string
            - name: resources
              type: array
              element:
                type: string
            - name: verbs
              type: array
              element:
                type: string
      - name: spec
        type: json
      - name: apiVersion
        type: string
      - name: kind
        type: string
      - name: metadata
        type: object
        fields:
          - name: annotations
            type: json
          - name: namespace
            type: string
          - name: labels
            type: json
          - name: name
            type: string
          - name: ownerReferences
            type: json
          - name: resourceVersion
            type: string
      - name: status
        type: object
        fields:
          - name: $setElementOrder/conditions
            type: array
            element:
              type: object
              fields:
                - name: type
                  type: string
          - name: conditions
            type: array
            element:
              type: object
              fields:
                - name: lastHeartbeatTime
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: type
                  type: string
  - name: objectRef
    type: object
    fields:
      - name: subresource
        type: string
      - name: resourceVersion
        type: string
      - name: uid
        type: string
      - name: namespace
        type: string
      - name: name
        type: string
      - name: apiGroup
        type: string
      - name: apiVersion
        required: true
        type: string
      - name: resource
        required: true
        type: string
  - name: annotations
    type: json
  - name: apiVersion
    required: true
    type: string
  - name: auditID
    required: true
    type: string
  - name: kind
    required: true
    type: string
  - name: level
    required: true
    type: string
  - name: requestReceivedTimestamp
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: requestURI
    type: string
  - name: responseStatus
    type: object
    fields:
      - name: reason
        type: string
      - name: message
        type: string
      - name: status
        type: string
      - name: code
        required: true
        type: bigint
  - name: sourceIPs
    required: true
    type: array
    element:
      type: string
      indicators:
        - ip
  - name: stage
    required: true
    type: string
  - name: stageTimestamp
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
  - name: user
    required: true
    type: object
    fields:
      - name: extra
        type: object
        fields:
          - name: authentication.kubernetes.io/pod-name
            type: array
            element:
              type: string
          - name: authentication.kubernetes.io/pod-uid
            type: array
            element:
              type: string
          - name: accessKeyId
            type: array
            element:
              type: string
          - name: arn
            type: array
            element:
              type: string
              indicators:
                - aws_arn
          - name: canonicalArn
            type: array
            element:
              type: string
              indicators:
                - aws_arn
          - name: sessionName
            type: array
            element:
              type: string
      - name: uid
        type: string
      - name: groups
        type: array
        element:
          type: string
      - name: username
        type: string
        indicators:
          - username
  - name: userAgent
    type: string
  - name: verb
    required: true
    type: string
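To show how the schema above is used, here is an illustrative Panther-style rule over Amazon.EKS.Audit events. It is an added example, not one of Panther's prewritten rules: it flags interactive sessions into pods (pods/exec, attach, portforward) by users outside an assumed allow-list, and any secret read by a non-system principal, whether or not RBAC allowed it. The `ALLOWED_EXEC_USERS` set and the events in `SAMPLE_EVENTS` are constructed; `event` is modelled as a plain dict so the file runs outside Panther (a real rule receives a PantherEvent whose deep_get behaves like the helper here).

```python
"""Illustrative Panther-style rule over Amazon.EKS.Audit events.

Added example, not one of Panther's prewritten rules. Field names follow the
schema above. `event` is a plain dict so the file runs outside Panther (a real
rule receives a PantherEvent whose deep_get works like the helper below).
ALLOWED_EXEC_USERS and the events in SAMPLE_EVENTS are constructed.
"""

# Kubernetes users expected to open interactive sessions (assumed).
ALLOWED_EXEC_USERS = {"kubernetes-admin"}
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}
SECRET_READ_VERBS = {"get", "list", "watch"}


def deep_get(event: dict, *keys, default=None):
    """Walk nested keys, returning default when any level is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_system_principal(username: str) -> bool:
    # Nodes, controllers and service accounts carry these prefixes;
    # humans and IAM-mapped users do not.
    return username.startswith(("system:", "eks:"))


def rule(event: dict) -> bool:
    # The API server emits one line per audit stage (RequestReceived,
    # ResponseStarted, ResponseComplete, Panic). Only ResponseComplete carries
    # the final responseStatus, and keying on it avoids one alert per stage.
    if event.get("stage") != "ResponseComplete":
        return False
    username = deep_get(event, "user", "username", default="")
    if is_system_principal(username):
        return False
    resource = deep_get(event, "objectRef", "resource", default="")
    subresource = deep_get(event, "objectRef", "subresource", default="")
    if resource == "pods" and subresource in INTERACTIVE_SUBRESOURCES:
        return username not in ALLOWED_EXEC_USERS
    # Secret reads are reported whether or not RBAC allowed them: a 403 is
    # still a human probing for credentials.
    return resource == "secrets" and event.get("verb") in SECRET_READ_VERBS


def title(event: dict) -> str:
    target = deep_get(event, "objectRef", "resource", default="?")
    subresource = deep_get(event, "objectRef", "subresource")
    if subresource:
        target = f"{target}/{subresource}"
    namespace = deep_get(event, "objectRef", "namespace", default="<cluster>")
    name = deep_get(event, "objectRef", "name", default="*")
    return (f"EKS: {deep_get(event, 'user', 'username', default='?')} "
            f"{event.get('verb')} {target} {namespace}/{name} from "
            f"{','.join(event.get('sourceIPs', []))} "
            f"(HTTP {deep_get(event, 'responseStatus', 'code', default='?')})")


def alerts(events) -> list:
    """Titles of the events that fire, in input order."""
    return [title(e) for e in events if rule(e)]


# Constructed events, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    {   # human execs into a pod: fires
        "stage": "ResponseComplete", "verb": "create",
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "prod", "name": "api-7c9d"},
        "user": {"username": "alice", "groups": ["system:authenticated"]},
        "sourceIPs": ["203.0.113.7"], "responseStatus": {"code": 101},
    },
    {   # the same request at the RequestReceived stage: suppressed
        "stage": "RequestReceived", "verb": "create",
        "objectRef": {"resource": "pods", "subresource": "exec",
                      "namespace": "prod", "name": "api-7c9d"},
        "user": {"username": "alice"}, "sourceIPs": ["203.0.113.7"],
    },
    {   # controller service account listing secrets: ignored
        "stage": "ResponseComplete", "verb": "list",
        "objectRef": {"resource": "secrets", "namespace": "kube-system"},
        "user": {"username": "system:serviceaccount:kube-system:external-secrets"},
        "sourceIPs": ["10.0.1.5"], "responseStatus": {"code": 200},
    },
    {   # human reads a secret and is denied by RBAC: still fires
        "stage": "ResponseComplete", "verb": "get",
        "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
        "user": {"username": "bob"},
        "sourceIPs": ["198.51.100.9"], "responseStatus": {"code": 403},
    },
]
```

The stage check matters in practice: without it, a single kubectl exec produces at least two audit lines and therefore two alerts. The user.extra.arn and user.extra.accessKeyId arrays in the schema are the place to add the originating IAM identity to the alert when the mapped Kubernetes username alone is not enough to attribute the action.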

Amazon.EKS.Authenticator

These logs come from the control plane component (aws-iam-authenticator) that EKS uses to authenticate IAM principals and map them to the Kubernetes users and groups that RBAC then authorizes. For more information, see AWS's documentation on EKS control plane logs.

fields:
    - name: timestamp
      required: true
      description: timestamp
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: level
      required: true
      description: level
      type: string
    - name: access_key_id
      description: access_key_id
      type: string
    - name: message
      required: true
      description: message
      type: string
    - name: account_id
      description: account_id
      type: string
      indicators:
        - aws_account_id
    - name: arn
      description: arn
      type: string
      indicators:
        - aws_arn
    - name: client
      description: client
      type: string
    - name: method
      description: method
      type: string
    - name: path
      description: path
      type: string
    - name: session
      description: session
      type: string
    - name: user_id
      description: user_id
      type: string
    - name: groups
      description: groups
      type: string
    - name: uid
      description: uid
      type: string
      indicators:
        - trace_id
    - name: username
      description: username
      type: string
      indicators:
        - username
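The authenticator log is where the IAM-to-Kubernetes mapping is visible, so it is the natural place to catch a principal being granted cluster-admin (system:masters) or a principal from an account that should not be mapped into the cluster at all. The following is an added illustrative rule, not one of Panther's prewritten rules; it reads the schema fields above (note that `groups` is a string in this schema, so it is searched as text rather than iterated). `KNOWN_ACCOUNT_IDS`, `BREAK_GLASS_ARNS` and the sample events are constructed assumptions, and the rule deliberately does not depend on the exact wording of the authenticator's message field.

```python
"""Illustrative Panther-style rule over Amazon.EKS.Authenticator events.

Added example, not one of Panther's prewritten rules. It reads the schema
fields above; `groups` is a string in this schema, so it is searched as text.
KNOWN_ACCOUNT_IDS, BREAK_GLASS_ARNS and the sample events are constructed
assumptions, and nothing here depends on the exact wording of the
authenticator's message field.
"""

# Accounts whose principals may be mapped into this cluster (assumed).
KNOWN_ACCOUNT_IDS = {"111122223333"}
# The only principals that should ever resolve to system:masters (assumed).
BREAK_GLASS_ARNS = {"arn:aws:iam::111122223333:role/eks-break-glass"}

CLUSTER_ADMIN_GROUP = "system:masters"


def maps_to_cluster_admin(event: dict) -> bool:
    """True when the IAM principal was mapped into system:masters."""
    return CLUSTER_ADMIN_GROUP in (event.get("groups") or "")


def is_foreign_account(event: dict) -> bool:
    """True when the principal's account is not one we expect to see."""
    account = event.get("account_id")
    return bool(account) and account not in KNOWN_ACCOUNT_IDS


def rule(event: dict) -> bool:
    # Lines with no principal (startup, health checks, tokens rejected before
    # the caller is identified) carry nothing to judge.
    if not event.get("arn"):
        return False
    if is_foreign_account(event):
        return True
    return maps_to_cluster_admin(event) and event["arn"] not in BREAK_GLASS_ARNS


def severity(event: dict) -> str:
    return "CRITICAL" if is_foreign_account(event) else "HIGH"


def title(event: dict) -> str:
    what = ("cross-account principal" if is_foreign_account(event)
            else "unexpected cluster admin")
    return (f"EKS authenticator: {what} {event.get('arn')} mapped to user "
            f"{event.get('username')} groups {event.get('groups')} "
            f"from {event.get('client')}")


def alerts(events) -> list:
    """(severity, title) for the events that fire, in input order."""
    return [(severity(e), title(e)) for e in events if rule(e)]


# Constructed events, trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    {   # break-glass role gets system:masters: expected, no alert
        "arn": "arn:aws:iam::111122223333:role/eks-break-glass",
        "account_id": "111122223333", "username": "break-glass",
        "groups": "[system:masters]", "client": "10.0.1.5:51234",
    },
    {   # a developer role mapped to system:masters: fires at HIGH
        "arn": "arn:aws:iam::111122223333:role/developer",
        "account_id": "111122223333", "username": "dev",
        "groups": "[system:masters]", "client": "10.0.1.5:51240",
    },
    {   # principal from an unknown account, ordinary groups: fires at CRITICAL
        "arn": "arn:aws:iam::999988887777:role/contractor",
        "account_id": "999988887777", "username": "contractor",
        "groups": "[system:authenticated]", "client": "10.0.1.5:51251",
    },
    {   # ordinary mapping: no alert
        "arn": "arn:aws:iam::111122223333:role/developer",
        "account_id": "111122223333", "username": "dev",
        "groups": "[dev-readonly]", "client": "10.0.1.5:51260",
    },
]
```

Pair this with the Audit rule: the authenticator line tells you which IAM principal became which Kubernetes user, and the audit line tells you what that user then did.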
