Panther supports ingesting Amazon Web Services (AWS) GuardDuty logs via common options: AWS S3 and AWS SQS.
You can also ingest GuardDuty logs using .
How to onboard AWS GuardDuty logs to Panther
To pull GuardDuty findings into Panther, you configure a log source in the Panther Console that reads from an S3 bucket or SQS queue in your AWS account to which GuardDuty findings are delivered.
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search "AWS" to see the list of available log sources.
Select AWS GuardDuty.
Select a transport method for your source to begin setup, then follow Panther's documentation for configuring S3 or SQS for Data Transport.
Panther-built detections
Querying logs in Data Explorer
Supported AWS GuardDuty logs
AWS.GuardDuty
schema: AWS.GuardDuty
parser:
  native:
    name: AWS.GuardDuty
description: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts.
referenceURL: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html
fields:
  - name: schemaVersion
    required: true
    description: The schema format version of this record.
    type: string
  - name: accountId
    required: true
    description: The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
    type: string
  - name: region
    required: true
    description: The AWS region in which the finding was generated.
    type: string
  - name: partition
    required: true
    description: The AWS partition in which the finding was generated.
    type: string
  - name: id
    required: true
    description: A unique identifier for the finding.
    type: string
  - name: arn
    required: true
    description: A unique identifier formatted as an ARN for the finding.
    type: string
  - name: type
    required: true
    description: A concise yet readable description of the potential security issue (the GuardDuty finding type, e.g. ThreatPurpose:ResourceTypeAffected/ThreatFamilyName).
    type: string
  - name: resource
    required: true
    description: The AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
    type: json
  - name: severity
    required: true
    description: The numeric severity of the finding. The value can fall anywhere within the 0.1 to 8.9 range.
    type: float
  - name: createdAt
    required: true
    description: The initial creation time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: updatedAt
    required: true
    description: The last update time of the finding (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: title
    required: true
    description: A short description of the finding.
    type: string
  - name: description
    required: true
    description: A long description of the finding.
    type: string
  - name: service
    required: true
    description: Additional information about the affected service.
    type: object
    fields:
      - name: additionalInfo
        description: Additional information about the finding, specific to the finding type.
        type: json
      - name: action
        description: The action that triggered the finding (for example an AWS API call, network connection, DNS request or port probe).
        type: json
      - name: serviceName
        required: true
        description: The name of the AWS service that generated the finding.
        type: string
      - name: detectorId
        required: true
        description: The ID of the GuardDuty detector that generated the finding.
        type: string
      - name: resourceRole
        description: The role of the affected resource in the activity, ACTOR or TARGET.
        type: string
      - name: eventFirstSeen
        description: The first time the activity that produced the finding was observed (UTC).
        type: timestamp
        timeFormat: rfc3339
      - name: eventLastSeen
        description: The most recent time the activity that produced the finding was observed (UTC).
        type: timestamp
        timeFormat: rfc3339
      - name: archived
        description: Whether the finding has been archived.
        type: boolean
      - name: count
        description: The number of times GuardDuty has aggregated the activity into this finding.
        type: bigint
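To show how the fields above are consumed by a detection, here is an added example in the style of a Panther Python rule. It is not Panther's own code and not one of its packaged detections: it takes an AWS.GuardDuty event, ignores archived findings, maps the numeric GuardDuty score onto Panther severity labels, and always alerts on a few assumed finding-type prefixes. Panther passes rule(), title(), severity() and dedup() an event object with dict-style access; a plain dict and a constructed sample finding (placeholder account, detector and finding IDs) are used here so it runs offline.

```python
"""
Added example (not Panther's own code): a Panther-style rule over an
AWS.GuardDuty event shaped like the schema on this page. The event is a
plain dict here so the example runs without the Panther runtime.
"""
import json

# GuardDuty score bands as AWS documents them: Low 1.0-3.9, Medium 4.0-6.9,
# High 7.0-8.9. Anything below 1.0 is treated as informational.
SEVERITY_BANDS = (
    (7.0, "HIGH"),
    (4.0, "MEDIUM"),
    (1.0, "LOW"),
)

# Finding-type prefixes to alert on regardless of score. This is an assumed
# organisational policy for the example, not something Panther ships.
ALWAYS_ALERT_PREFIXES = ("Backdoor:", "CryptoCurrency:", "Exfiltration:")


def map_severity(score):
    """Translate the 0.1-8.9 GuardDuty score into a Panther severity label."""
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "INFO"


def rule(event):
    """Fire on active findings that are Medium or worse, or whose type
    matches one of the always-alert prefixes. Archived findings are skipped
    because GuardDuty re-emits them on update without new activity."""
    service = event.get("service") or {}
    if service.get("archived"):
        return False
    if event.get("type", "").startswith(ALWAYS_ALERT_PREFIXES):
        return True
    return map_severity(float(event.get("severity", 0))) in ("MEDIUM", "HIGH")


def severity(event):
    """Dynamic severity derived from the finding's own score."""
    return map_severity(float(event.get("severity", 0)))


def title(event):
    """Alert title naming the finding type, resource type, account and region."""
    resource = event.get("resource") or {}
    return "GuardDuty [{}] {} in {} ({})".format(
        event.get("type"),
        resource.get("resourceType", "unknown resource"),
        event.get("accountId"),
        event.get("region"),
    )


def dedup(event):
    """GuardDuty updates the same finding id as count/updatedAt change;
    keying on id collapses those updates into one alert."""
    return event.get("id", "")


# Constructed sample finding following the AWS.GuardDuty schema above.
# Account, detector and finding identifiers are placeholders.
SAMPLE_FINDING = json.loads("""{
  "schemaVersion": "2.0",
  "accountId": "111122223333",
  "region": "us-east-1",
  "partition": "aws",
  "id": "00000000000000000000000000000001",
  "arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d0/finding/00000000000000000000000000000001",
  "type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
  "resource": {"resourceType": "AccessKey"},
  "severity": 5,
  "createdAt": "2024-01-01T00:00:00Z",
  "updatedAt": "2024-01-01T00:05:00Z",
  "title": "Sample title",
  "description": "Sample description",
  "service": {
    "serviceName": "guardduty",
    "detectorId": "d0",
    "resourceRole": "TARGET",
    "archived": false,
    "count": 3
  }
}""")

if __name__ == "__main__":
    if rule(SAMPLE_FINDING):
        print(severity(SAMPLE_FINDING), title(SAMPLE_FINDING))
```

The two things worth copying into a real rule are the archived check and the dedup key: without them every GuardDuty update to an existing finding (which bumps count and updatedAt but keeps the same id) produces a fresh alert.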
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior inside AWS accounts. For more information, see .