AWS Aurora

Connecting AWS Aurora MySQL Relational Database Service (RDS) logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Aurora MySQL Relational Database Service (RDS) logs via AWS S3.

How to onboard AWS Aurora logs to Panther

To pull Aurora logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.

In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search "AWS" to see the list of available log sources.
Select AWS Aurora MySQL.
Select AWS S3 Bucket for your source to begin setup. Follow .

Panther-built detections

See Panther's prewritten AWS rules in .

Supported AWS Aurora logs

AWS.AuroraMySQLAudit

schema: AWS.AuroraMySQLAudit
parser:
  native:
    name: AWS.AuroraMySQLAudit
description: AuroraMySQLAudit is an RDS Aurora audit log which contains context around database calls.
referenceURL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html
fields:
  - name: timestamp
    description: The timestamp for the logged event with microsecond precision (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: serverHost
    description: The name of the instance that the event is logged for.
    type: string
  - name: username
    description: The connected user name of the user.
    type: string
  - name: host
    description: The host that the user connected from.
    type: string
  - name: connectionId
    description: The connection ID number for the logged operation.
    type: bigint
  - name: queryId
    description: The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added.
    type: bigint
  - name: operation
    required: true
    description: 'The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP.'
    type: string
  - name: database
    description: The active database, as set by the USE command.
    type: string
  - name: object
    description: For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name.
    type: string
  - name: retCode
    description: The return code of the logged operation.
    type: bigint

PreviousAWS ALB NextAWS Config

Last updated 1 year ago

Was this helpful?

How to onboard AWS Aurora logs to Panther

To pull Aurora logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.

In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.

Click Create New.

Search "AWS" to see the list of available log sources.

Select AWS Aurora MySQL.

Select AWS S3 Bucket for your source to begin setup. Follow .

Supported AWS Aurora logs

AWS.AuroraMySQLAudit

AuroraMySQLAudit is an RDS Aurora audit log containing context on database calls. For more information, see .

schema: AWS.AuroraMySQLAudit
parser:
  native:
    name: AWS.AuroraMySQLAudit
description: AuroraMySQLAudit is an RDS Aurora audit log which contains context around database calls.
referenceURL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html
fields:
  - name: timestamp
    description: The timestamp for the logged event with microsecond precision (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: serverHost
    description: The name of the instance that the event is logged for.
    type: string
  - name: username
    description: The connected user name of the user.
    type: string
  - name: host
    description: The host that the user connected from.
    type: string
  - name: connectionId
    description: The connection ID number for the logged operation.
    type: bigint
  - name: queryId
    description: The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added.
    type: bigint
  - name: operation
    required: true
    description: 'The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP.'
    type: string
  - name: database
    description: The active database, as set by the USE command.
    type: string
  - name: object
    description: For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name.
    type: string
  - name: retCode
    description: The return code of the logged operation.
    type: bigint